add kafka

Author: sbtaylor15

events/Kafka Event Schema.md

@@ -0,0 +1,82 @@
+# Release Sync Kafka Event Schema Documentation
+
+## Overview
+
+This schema defines a unified event contract for the PDVD system. It combines software release metadata, storage references for SBOMs, and deployment endpoint information into a single message. This structure ensures that events processed via Kafka trigger the same validation, deduplication, and automated CVE linking logic as the REST API.
+
+---
+
+## Top-Level Properties
+
+* **event_type** (string, Required): Unique identifier for the event logic (e.g., `release.sync.created`).
+* **event_id** (string, Required): A unique UUID for message tracking and deduplication.
+* **event_time** (string, Required): The ISO 8601 timestamp when the event was generated.
+* **synced_at** (string, Optional): The ISO 8601 timestamp of the actual deployment. If omitted, the system defaults to the current processing time.
+
+---
+
+## 1. Release Object
+
+Contains core metadata for the software component.
+
+* **name** (string, Required): The full name of the release (e.g., "org/repo").
+* **version** (string, Required): The version string, automatically cleaned and parsed into SemVer components during ingestion.
+* **projecttype** (string, Optional): The category of project (e.g., `docker`, `container`, `git`).
+* **gitcommit** (string, Optional): The Git SHA associated with the release.
+* **dockersha** (string, Optional): The Docker Image Digest.
+* **is_public** (boolean, Default: `true`): Visibility flag for the release.
+
+---
+
+## 2. SBOM Reference Object
+
+Describes how to retrieve the SBOM content for security analysis.
+
+* **cid** (string, Required): The IPFS Content Identifier where the JSON SBOM is stored.
+* **storage_type** (string, Required): The backend storage provider. Allowed values: `["ipfs", "s3"]`.
+* **content_sha** (string, Optional): A SHA256 hash of the SBOM content for integrity verification.
+* **uploaded_at** (string, Optional): Timestamp when the SBOM was persisted to the storage backend.
+
+---
+
+## 3. Endpoint Object
+
+Defines the deployment target for MTTR and lifecycle tracking.
+
+* **name** (string, Required): Unique name of the environment or cluster (e.g., "prod-us-east-1").
+* **endpoint_type** (string, Required): The infrastructure category. Supported types include `eks`, `lambda`, `gke`, `fargate`, `iot`, and `mission_asset`.
+* **environment** (string, Required): The environment designation (e.g., `production`, `staging`).
+* **is_public** (boolean, Default: `true`): Visibility flag for the endpoint.
+
+---
+
+## Example JSON Payload
+
+```json
+{
+  "event_type": "release.sync.created",
+  "event_id": "550e8400-e29b-41d4-a716-446655440000",
+  "event_time": "2023-10-27T10:00:00Z",
+  "synced_at": "2023-10-27T09:55:00Z",
+  "release": {
+    "name": "ortelius/reporting-service",
+    "version": "v1.2.3",
+    "projecttype": "docker",
+    "gitcommit": "af32c1b",
+    "dockersha": "sha256:45b34006...77a",
+    "is_public": true
+  },
+  "sbom_ref": {
+    "cid": "QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco",
+    "storage_type": "ipfs",
+    "content_sha": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+    "uploaded_at": "2023-10-27T09:50:00Z"
+  },
+  "endpoint": {
+    "name": "production-cluster-01",
+    "endpoint_type": "eks",
+    "environment": "production",
+    "is_public": true
+  }
+}
+```

events/kafka.json

@@ -0,0 +1,69 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "properties": {
+    "event_type": {
+      "type": "string",
+      "description": "Type of event, e.g., 'release.sync.created'"
+    },
+    "event_id": {
+      "type": "string",
+      "format": "uuid"
+    },
+    "event_time": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "release": {
+      "type": "object",
+      "description": "The ProjectRelease metadata",
+      "properties": {
+        "name": { "type": "string" },
+        "version": { "type": "string" },
+        "projecttype": { "type": "string" },
+        "gitcommit": { "type": "string" },
+        "dockersha": { "type": "string" },
+        "is_public": { "type": "boolean", "default": true }
+      },
+      "required": ["name", "version"]
+    },
+    "sbom_ref": {
+      "type": "object",
+      "description": "Reference to the stored SBOM content",
+      "properties": {
+        "cid": { "type": "string", "description": "IPFS CID of the SBOM content" },
+        "storage_type": { "type": "string", "enum": ["ipfs", "s3"] },
+        "content_sha": { "type": "string" },
+        "uploaded_at": { "type": "string", "format": "date-time" }
+      },
+      "required": ["cid", "storage_type"]
+    },
+    "endpoint": {
+      "type": "object",
+      "description": "The deployment target (Endpoint) metadata",
+      "properties": {
+        "name": { "type": "string" },
+        "endpoint_type": { 
+          "type": "string", 
+          "enum": ["cluster", "ec2", "lambda", "ecs", "eks", "gke", "aks", "fargate", "edge", "iot", "mission_asset"] 
+        },
+        "environment": { "type": "string" },
+        "is_public": { "type": "boolean", "default": true }
+      },
+      "required": ["name", "endpoint_type", "environment"]
+    },
+    "synced_at": {
+      "type": "string",
+      "format": "date-time",
+      "description": "Timestamp of the deployment sync"
+    }
+  },
+  "required": [
+    "event_type",
+    "event_id",
+    "event_time",
+    "release",
+    "sbom_ref",
+    "endpoint"
+  ]
+}

events/modules/releases/handler.go

@@ -0,0 +1,65 @@
+package release
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+
+	"github.com/ortelius/pdvd-backend/v12/model"
+)
+
+type SBOMFetcher interface {
+	FetchSBOM(ctx context.Context, cid string) ([]byte, error)
+}
+
+type ReleaseService interface {
+	CreateRelease(ctx context.Context, release model.ReleaseWithSBOM) error
+}
+
+func HandleReleaseSBOMCreatedWithService(
+	ctx context.Context,
+	msg []byte,
+	fetcher SBOMFetcher,
+	service ReleaseService,
+) error {
+	var event ReleaseSBOMCreatedEvent
+	if err := json.Unmarshal(msg, &event); err != nil {
+		return fmt.Errorf("failed to unmarshal ReleaseSBOMCreatedEvent: %w", err)
+	}
+
+	if event.Release.Name == "" || event.Release.Version == "" || event.SBOMRef.CID == "" {
+		return fmt.Errorf("invalid event: missing required fields")
+	}
+
+	log.Printf("Processing release %s@%s (CID=%s)", event.Release.Name, event.Release.Version, event.SBOMRef.CID)
+
+	sbomData, err := fetcher.FetchSBOM(ctx, event.SBOMRef.CID)
+	if err != nil {
+		return fmt.Errorf("failed to fetch SBOM for CID %s: %w", event.SBOMRef.CID, err)
+	}
+
+	releaseWithSBOM := model.ReleaseWithSBOM{
+		ProjectRelease: model.ProjectRelease{
+			Name:        event.Release.Name,
+			Version:     event.Release.Version,
+			GitCommit:   event.Release.GitCommit,
+			DockerSha:   event.Release.DockerSha,
+			ProjectType: event.Release.ProjectType,
+			IsPublic:    event.Release.IsPublic,
+		},
+		SBOM: model.SBOM{
+			Content: sbomData,
+		},
+	}
+
+	releaseWithSBOM.ParseAndSetNameComponents()
+	releaseWithSBOM.ParseAndSetVersion()
+
+	if err := service.CreateRelease(ctx, releaseWithSBOM); err != nil {
+		return fmt.Errorf("internal service error: %w", err)
+	}
+
+	log.Printf("Successfully processed release %s@%s", event.Release.Name, event.Release.Version)
+	return nil
+}

events/modules/releases/producer.go

@@ -0,0 +1,62 @@
+package release
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/ortelius/pdvd-backend/v12/model"
+	"github.com/segmentio/kafka-go"
+)
+
+// ReleaseProducer handles sending SBOM creation events to Kafka
+type ReleaseProducer struct {
+	Writer *kafka.Writer
+}
+
+// NewReleaseProducer initializes a new Kafka writer for release events
+func NewReleaseProducer(brokers []string, topic string) *ReleaseProducer {
+	return &ReleaseProducer{
+		Writer: &kafka.Writer{
+			Addr:     kafka.TCP(brokers...),
+			Topic:    topic,
+			Balancer: &kafka.LeastBytes{},
+		},
+	}
+}
+
+// PublishReleaseSBOMCreated sends the event to the Kafka topic
+func (p *ReleaseProducer) PublishReleaseSBOMCreated(ctx context.Context, release model.ProjectRelease, cid string) error {
+
+	// Construct the Event Contract
+	event := ReleaseSBOMCreatedEvent{
+		EventType:     "release.sbom.created",
+		EventID:       uuid.New().String(),
+		EventTime:     time.Now().UTC(),
+		SchemaVersion: "v1",
+		Release:       release,
+		SBOMRef: SBOMReference{
+			CID:         cid,
+			StorageType: "ipfs", // Default storage type for the system
+			UploadedAt:  time.Now().UTC(),
+		},
+	}
+
+	// Marshal to JSON
+	payload, err := json.Marshal(event)
+	if err != nil {
+		return err
+	}
+
+	// Write to Kafka
+	return p.Writer.WriteMessages(ctx, kafka.Message{
+		Key:   []byte(release.Name),
+		Value: payload,
+	})
+}
+
+// Close cleans up the Kafka writer
+func (p *ReleaseProducer) Close() error {
+	return p.Writer.Close()
+}

events/modules/releases/types.go

@@ -0,0 +1,38 @@
+package release
+
+import (
+	"time"
+
+	"github.com/ortelius/pdvd-backend/v12/model"
+)
+
+type ReleaseSBOMCreatedEvent struct {
+	EventType     string    `json:"event_type"`
+	EventID       string    `json:"event_id"`
+	EventTime     time.Time `json:"event_time"`
+	SchemaVersion string    `json:"schema_version"`
+
+	Release model.ProjectRelease `json:"release"`
+
+	SBOMRef SBOMReference `json:"sbom_ref"`
+}
+
+// SBOMReference describes where an SBOM is stored and how it can be retrieved.
+type SBOMReference struct {
+	// IPFS CID returned by the SBOM ingestion Lambda
+	CID string `json:"cid"`
+
+	// Storage backend identifier (e.g. "ipfs+s3", "ipfs")
+	StorageType string `json:"storage_type"`
+
+	// Optional S3 details
+	Bucket    string `json:"bucket,omitempty"`
+	ObjectKey string `json:"object_key,omitempty"`
+
+	// Optional integrity metadata
+	ContentSha string `json:"content_sha,omitempty"`
+	SizeBytes  int64  `json:"size_bytes,omitempty"`
+
+	// Timestamp when the SBOM was persisted
+	UploadedAt time.Time `json:"uploaded_at"`
+}

go.mod

@@ -9,12 +9,14 @@ require (
 	github.com/arangodb/go-driver/v2 v2.1.6
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/go-git/go-git/v5 v5.16.4
-	github.com/gofiber/fiber/v2 v2.52.10
-	github.com/golang-jwt/jwt/v5 v5.3.0
+	github.com/gofiber/fiber/v2 v2.52.11
+	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/osv-scanner v1.9.2
+	github.com/google/uuid v1.6.0
 	github.com/graphql-go/graphql v0.8.1
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/pandatix/go-cvss v0.6.2
+	github.com/segmentio/kafka-go v0.4.50
 	go.uber.org/zap v1.27.1
 	golang.org/x/crypto v0.47.0
 	gopkg.in/yaml.v2 v2.4.0
@@ -28,8 +30,8 @@ require (
 	github.com/aquasecurity/go-version v0.0.1 // indirect
 	github.com/arangodb/go-velocypack v0.0.0-20200318135517-5af53c29c67e // indirect
 	github.com/clipperhouse/stringish v0.1.1 // indirect
-	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
-	github.com/cloudflare/circl v1.6.2 // indirect
+	github.com/clipperhouse/uax29/v2 v2.5.0 // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
 	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dchest/siphash v1.2.3 // indirect
@@ -38,15 +40,15 @@ require (
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.7.0 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
-	github.com/google/uuid v1.6.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.4.0 // indirect
 	github.com/kkdai/maglev v0.2.0 // indirect
-	github.com/klauspost/compress v1.18.2 // indirect
+	github.com/klauspost/compress v1.18.3 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.19 // indirect
+	github.com/pierrec/lz4/v4 v4.1.25 // indirect
 	github.com/pjbgf/sha1cd v0.5.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect